# ory-network
b
Hi folks, I was wondering if anyone has experience setting up a custom domain for their project. My specific question is: how long does it usually take for the domain verification to pass? My domain is hosted on GoDaddy and I added a CNAME record to it 12 hours ago, but the Ory verification is still pending. I'd appreciate any input here, instead of waiting and then realizing I did some setup wrong. Thanks! The CNAME record in GoDaddy:
Still no luck with the verification. I'd appreciate any pointers I can get.
m
b
yes I followed the steps there and my domain is still not verified
I am happy to pay for support at this point to get help
@magnificent-energy-493 could you connect me with someone who can help me diagnose the issue?
m
Sure, I will create an internal ticket as well, but to be honest it probably won't be looked at until Monday, as it's already Friday evening/end of week for most of the dev staff, and urgent pings (aka production outages) are handled by the 24/7 support team through our support ticketing platform. You can ofc upgrade to the Growth plan to get access to the ticketing system, but that is normally not really the intention for an upgrade... Really sorry this is blocking you now. I will check if I can find some other materials that might help you.
Did you confirm that you do not have any CAA records in your domain that block issuance, as described in the doc, @best-daybreak-48618?
Use this command to check:
```
dig +noall +answer example.com caa
```
If the response is empty, good; if not, either remove the CAA records or add `pki.goog` if not added yet.
b
yes I confirmed that already
```
dig +noall +answer auth.staging.sway.app caa
auth.staging.sway.app.	1800	IN	CNAME	charming-lalande-c8jne8pfmu.projects.oryapis.com.
```
m
What is the response for `dig +noall +answer sway.app caa`?
s
I just checked in Cloudflare, and the error message states that a CAA record is blocking the cert's issuing.
```
CAA records block issuance. Please remove all CAA records or add records for this authority (pki.goog)
```
```
❯ dig staging.sway.app caa

; <<>> DiG 9.10.6 <<>> staging.sway.app caa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39953
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;staging.sway.app.              IN      CAA

;; ANSWER SECTION:
staging.sway.app.       1799    IN      CNAME   cname.vercel-dns.com.
cname.vercel-dns.com.   1799    IN      CAA     0 issue "globalsign.com"
cname.vercel-dns.com.   1799    IN      CAA     0 issue "letsencrypt.org"
cname.vercel-dns.com.   1799    IN      CAA     0 issue "sectigo.com"
```
You either have to remove the CAA records or add
```
auth.staging.sway.app. IN CAA 0 issue "pki.goog"
```
CAA records are hierarchical, and the "closest" CAA record to the domain you want to create the TLS cert for is used. https://www.ory.sh/docs/guides/custom-domains#what-must-i-do-if-my-domain-is-configured-with-a-caa-record https://letsencrypt.org/docs/caa/#where-to-put-the-record
```
Note that the CA will always respect the CAA record closest to the domain name it is issuing a certificate for. So if you're requesting a cert for "www.community.example.org", the CA will check "www.community.example.org", then "community.example.org", then "example.org", stopping at the first CAA record it finds.
```
b
ok thanks for the help, let me do that and report back to you.
This looks as expected now, I am going to wait a few hours to see if the verification goes through
s
works, I can access our ui: https://auth.staging.sway.app/ui/welcome
b
Yes!
thanks a lot for the late Friday help on debugging!
Can I buy you all a cup of coffee or something?
s
All good, we are happy you got it working.